kelunik / acme
Async ACME library written in PHP based on the Amp concurrency framework.
License: MIT License
Depends on php-src support, see https://bugs.php.net/bug.php?id=61204 and php/php-src#1686
In the class Kelunik/Acme/AcmeService the following piece of code occurs on multiple occasions in slightly different forms:
try {
return Authorization::fromResponse($url, $response->getBody()->buffer());
} catch (\Throwable $_) {
throw $this->generateException($response, $response->getBody()->buffer());
}
This can lead to the following Exception: "Can't buffer() a payload more than once" in /vendor/amphp/byte-stream/src/Payload.php(96)
This happens when there is a response which cannot be parsed successfully. The method $response->getBody()->buffer()
is called twice in this situation, resulting in the error above.
A solution for this issue could be to first store the responseBuffer in a local variable, to avoid reading it twice:
// Buffer the body once and reuse it, so the failure path never calls buffer() a second time.
$responseBuffer = $response->getBody()->buffer();
try {
return Authorization::fromResponse($url, $responseBuffer);
} catch (\Throwable $_) {
throw $this->generateException($response, $responseBuffer);
}
If you prefer I could make a pull request for this
Certificates should be validated before being deployed.
I'm having an issue with amphp/dns: DefaultResolver.php, 632 - "Undefined offset: 8". I suspect this is a bug in amphp/dns which might have been resolved in a newer version of amphp/dns, seeing that the class DefaultResolver doesn't exist anymore.
Furthermore, I don't see much recent activity on the kelunik/acme repo. Is there any intention of working towards a new version which will use amphp/amp 2.x?
Following links to https://blog.kelunik.com/docs/acme/classes/AcmeService.html#register etc gives 404.
With ACME v2, it's now possible to issue wildcards.
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
Depends on #31.
Hi, I really need the "namshi/jose": "^7" constraint from master that isn't present in the latest release 0.3.3.
Is there a good reason why you haven't released the changes yet?
Thanks!
[Kelunik\Acme\AcmeException]
Invalid response: JWS has invalid anti-replay nonce oJ29ZCkwqoQ4yg6NOHQHRbbQn5UpC77hTql5AGy87FM.
Request URI: https://acme-staging.api.letsencrypt.org/acme/new-cert.
This exception happens when I use the same AcmeClient and AcmeService instantiation to complete a challenge and then request certificate in one script. When I just do one of them, there is no such problem. I'm not sure what's the real issue (it may be my mistake), so I'd appreciate any troubleshooting help.
Hi, is it possible to create a new release whenever it is safe to use?
We are using a fork of your repo atm, and fetched it recently to be up-to-date with yours.
Basically, our fork is equal to yours now. But you don't have a release yet with this new ACME v2 changes.
Let's Encrypt is now using ACME v2 protocol.
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
For the creation of a CSR, the dn parameter of openssl_csr_new only needs the definition of 'CN' to work with a domain-validated certificate.
https://github.com/kelunik/acme/blame/dd01ee543932b8ca51cb2b9d3fe2efd097fbba66/lib/AcmeService.php#L363 could be reduced to just:
$csr = openssl_csr_new([
"CN" => reset($domains),
], $privateKey, [
"digest_alg" => "sha256",
"req_extensions" => "v3_req",
"config" => $tempFile,
]);
The certificate download url (at least for dns-01) returns HTTP 202 after it's done. It is "status": "valid", but still is http 202.
Hence the current implementation loops forever.
I am using the below command to renew the certificate of one of my domains using the Let's Encrypt service, but after using the below command, I see that the certificate is renewed for only 5-6 days.
php acme-client/bin/acme issue --domains example.com:www.example.com --path /home/peter/example:/home/peter/example --server letsencrypt
Is this expected, or is something wrong in my command?
It should be possible to pass CSRs instead of a list of domains when requesting a certificate.
The following line appends the SAN to the config file: OpenSSLCSRGenerator.php#L71
This behaviour is altered in: b078e8a
This results in openssl_csr_new() returning false. When using openssl_error_string() the following error is returned: error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign
To resolve this, the fragment . "\n" . $san . "\n" should be removed.
There's a possibility to delete accounts. It should be supported by this library.
The Acme service can return certain error codes, as described here: https://letsencrypt.github.io/acme-spec/#rfc.section.5.4
Currently, HTTP errors will be thrown with the response body as plain text in the message.
It would be more useful to create an AcmeHttpException which can be constructed using the response object and provides an actually useful message?
Invalid response code: 400 {"type":"urn:acme:error:badNonce","detail":"Unable to read/verify body :: JWS has invalid anti-replay nonce","status":400}
Could be:
Invalid Acme HTTP Response: badNonce (code 400). Unable to read/verify body :: JWS has invalid anti-replay nonce.
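One way to produce the message proposed above, as an added illustration that is not kelunik/acme's own code: the class name, constructor signature and accessors are assumptions, and the sample body is the 400 badNonce response quoted in the issue.

```php
<?php
// Added illustration, not kelunik/acme's own code: turns an ACME problem
// document (the JSON body quoted in the issue above) into a readable
// exception message. The class name and accessors are assumptions.
final class AcmeHttpException extends \RuntimeException
{
    private string $type;
    private string $detail;

    public function __construct(int $status, string $body)
    {
        $problem = json_decode($body, true);

        if (is_array($problem) && isset($problem['type'])) {
            // "urn:acme:error:badNonce" (or the v2 "urn:ietf:params:acme:error:badNonce")
            // -> "badNonce": keep only the last segment of the type URN.
            $type = (string) $problem['type'];
            $pos = strrpos($type, ':');
            $this->type = $pos === false ? $type : substr($type, $pos + 1);
            $this->detail = isset($problem['detail']) ? (string) $problem['detail'] : '';
        } else {
            // Not a problem document at all: keep the raw body so nothing is lost.
            $this->type = 'unknown';
            $this->detail = trim($body);
        }

        $message = sprintf('Invalid Acme HTTP Response: %s (code %d).', $this->type, $status);
        if ($this->detail !== '') {
            $message .= ' ' . rtrim($this->detail, '.') . '.';
        }

        parent::__construct($message, $status);
    }

    // Lets callers branch on the error type instead of parsing the message text.
    public function getType(): string { return $this->type; }

    public function getDetail(): string { return $this->detail; }
}

// Constructed sample: the 400 badNonce body quoted in the issue above.
$body = '{"type":"urn:acme:error:badNonce","detail":"Unable to read/verify body :: JWS has invalid anti-replay nonce","status":400}';
$e = new AcmeHttpException(400, $body);
echo $e->getMessage(), PHP_EOL;
```

With that input the message matches the "Could be" line above; a caller can additionally branch on getType() === 'badNonce' (for example, to retry once with a fresh nonce) instead of matching on message text.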
Issue mentioned in: https://community.letsencrypt.org/t/breaking-changes-in-asynchronous-order-finalization-api/195882
Our client implementation was relying on the finalizeOrder response, which should return the Order object.
However, it looks like the finalizeOrder response no longer contains the location uri for the order as of today.
Therefore, we needed to update our implementation to resolve the order once again after finalising the order.
if ($response->getStatus() === 200) {
return Order::fromResponse($response->getHeader('location'), $response->getBody()->buffer());
}
CAA records are now enforced and issue attempts which are blocked due to CAA give an unhelpful error message currently. A CAA validator should be added to catch such errors early and provide helpful error messages.
I'm having trouble using dns01 challenge.
As far as I can understand from the token received from the challenge, I have to generate a string to put in the _acme-challenge.[domain] dns record.
I've tried to use generateHttp01Payload and use this as the string for the dns record and the payload, but I always get Challenge marked as invalid! from the staging server.
Can you please help?
- Removing amphp/amp (v1.0.7)
- Installing amphp/amp (v1.1.0)
Loading from cache
- Removing amphp/dns (v0.8.5)
- Installing amphp/dns (v0.8.7)
Loading from cache
- Updating amphp/artax (2.0.2 => v2.0.3)
Checking out cc665ac890322188bad8b80722d64af6207b770d
There are none!